What is claimed is : 

1. Apparatus for representing entitlements for instances of services having entitlement 
IDs associated therewith in a receiver that receives the instances of services and the 

5 entitlement IDs, the apparatus comprising: 

a memory having a starting entitlement ID and a map having entitlement values for 
entitlements that have been given to the receiver, wherein the starting 
entitlement ID is used with the map and with an entitlement ID associated 
with a given instance of service to determine whether the receiver is entitled to 

10 the given instance of a service, and wherein the receiver grants access to the 

given instance of service only if the receiver is entitled to the given instance of 
service. 

2. The apparatus of claim 1 , wherein the map represents a sequence of entitlement IDs. 

15 

3. The apparatus of claim 2, wherein the starting entitlement ID is the first entitlement 
ID in the sequence of entitlement IDs. 

4. The apparatus of claim 3, wherein the sequence of entitlement IDs is a list. 

20 

5. The apparatus of claim 3, wherein the sequence of entitlement IDs is contiguous in the 
memory. 
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6. The apparatus of claim 5, wherein the map is a bit map representing the presence or 
absence of entitlements for the receiver for instances of service. 



7. The apparatus of claim 3, wherein: 
5 the map is represented by an array of elements having entitlement values that 

represent the presence or absence of entitlement; and 
the difference in the sequence of entitlement IDs between the starting entitlement ED 
and the entitlement ID associated with the given instance of service is used to 
determine the index value for a given element in the array, wherein the given 
l o element has the entitlement value of the given instance of service. 



15 



8. The apparatus of claim 7, wherein: 

the array has single-bit elements and the state of an element's bit indicates whether the 
receiver has the entitlement value represented by the array element. 

9. The apparatus of claim 1 , wherein: 

the memory is accessible only to an access control component of the receiver. 



1 0. The apparatus of claim 9, wherein: 
20 the starting entitlement ID and the map are set in response to a message received in 

the receiver. 
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The apparatus of claim 1, wherein: 

the starting entitlement ED and the map are set in response to a message received in 
the receiver. 

The apparatus of claim 11; wherein: 

the message contains a message starting entitlement ED and message map from which 
the starting entitlement ED and the map are set. 

The apparatus of claim 12, wherein: 

the receiver is given entitlements by at least one entitlement agent; 
each entitlement agent has a map for representing entitlements that have been given to 
the receiver; 

the message further specifies a given entitlement agent; and 

the message starting entitlement ED and the message map are used to set a starting 
entitlement ID and a map in the list for the given entitlement agent. 

The apparatus of claim 1, further comprising: 

a time value that indicates a time at which the entitlement values are not valid. 
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15. A method of providing a receiver with entitlements for instances of a service, the 
method comprising the steps of: 

making a representation of entitlements that includes a starting entitlement ID and a 
map that specifies a set of entitlement values; and 
5 sending a message to the receiver that contains the representation, wherein the 

receiver responds to the message by storing the representation and using the 
starting entitlement ED with the map and with an entitlement ID associated 
with a given instance of service to determine whether the receiver has an 
entitlement value for the given instance of a service. 

10 

16. The apparatus of claim 15, wherein the map represents a sequence of entitlement IDs. 

17. The apparatus of claim 16, wherein the starting entitlement ID is the first entitlement 
ID in the sequence of entitlement IDs. 

15 

1 8. The apparatus of claim 17, wherein the sequence of entitlement IDs is a list. 

19. The apparatus of claim 17, wherein the sequence of entitlement IDs is contiguous in 
the memory. 

20 

20. The apparatus of claim 19, wherein the map is a bit map representing the presence or 
absence of entitlements for the receiver for instances of service. 



82 



The method of claim 17, wherein: 

the map is represented by an array whose elements have entitlement values that 
represent the presence or absence of entitlement values; and 

the difference between the starting entitlement ID and the entitlement ED of the given 
instance of service is used to determine the index value for an element in the 
array, wherein the element having the index value represents the entitlement 
value of the given instance of service. 

The method of claim 21, wherein: 

the array has single-bit elements and the state of an element's bit indicates whether the 
receiver has the entitlement value represented by the array element. 

The method of claim 15, wherein: 

the receiver is given entitlements by at least one entitlement agent; and the method 

further includes the steps of: 
putting a specification of a given entitlement agent in the message, the receiver using 

the specification to locate a list whose elements include an apparatus for 

representing entitlements and using the apparatus in the message to set an 

apparatus in the list for the given entitlement agent. 
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24. The method of claim 15, further comprising the steps of: 

putting a time value that indicates a time at which the representation is not valid in the 
message; and 

the receiver storing the time value and using the time value to determine whether the 
5 representation is valid. 



25. The method of claim 15, further comprising the step, in the receiver, of: 

determining that the receiver has an entitlement value for the given instance of 
service; 

10 processing, in a secure element, a long-term key to obtain a short-term key; and 

using the short-term key to decrypt the given instance of service. 



26. The method of claim 15, wherein the sending step comprises the step of: 
sending to the receiver a long-term key within the message. 

27. The method of claim 15, wherein the message including the entitlement ID is 
authenticated by the receiver using information provided by an entitlement agent. 



28. The method of claim 15, wherein authentication is performed using RSA digital 
20 signatures. 
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29. A receiver for receiving instances of service and entitlement IDs associated therewith 
and entitlement values for the entitlement IDs, the receiver comprising: 

a port for receiving instances of service and at least a first message having an 
entitlement ID associated with a given instance of service; 
5 a memory coupled to the port having a starting entitlement ID and a map including 

entitlement values that have been given to the receiver, wherein the starting 
entitlement ID is used in conjunction with the map and with an entitlement ID 
associated with the given instance of service to determine the entitlement of 
the receiver for the given instance of service, and wherein the receiver grants 
10 access to the given instance of service only if the receiver is entitled to the 

given instance of service. 

30. The receiver of claim 29, wherein the map represents a sequence of entitlement IDs. 

15 31. The receiver of claim 30, wherein the sequence of entitlement IDs is a discrete list of 
entitlement IDs. 

32. The receiver of claim 30, wherein the starting entitlement ID is the first entitlement ID 
in the sequence of entitlement IDs. 

20 
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33. The receiver of claim 30, wherein the map is represented by an array of elements 
having entitlement values stored therein, and the index number of the element in the array 
having the entitlement value for a given instance of service is determined from the sequence 
of entitlements IDs by the difference between the starting entitlement ED and the entitlement 

5 ID for the given instance of service. 

34. The receiver of claim 29, wherein the array is a bit map. 

35. The receiver of claim 29, wherein the memory is accessible only to an access control 
10 component. 

36. The receiver of claim 29, wherein the starting entitlement ID and the map are set in 
response to a message received in the receiver. 
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37. A method of determining entitlements for instances of service in a receiver, the 
method comprising the steps, in the receiver, of: 

receiving at least a first message having a starting entitlement ID and a map having 
entitlement values that represent entitlements of the receiver for instances of 
service; 

storing in a memory at least the starting entitlement ID and the map of the first 
message; 

receiving at least a second message having an entitlement ID associated with a given 

instance of service; and 
determining whether the receiver is entitled to the instance of service by using the 

starting entitlement ID and the entitlement ID associated with the given 

instance of service to determine an element of the map which has the 

entitlement value of the given instance of service. 

38. The method of claim 37, wherein the map is stored as an array, the starting entitlement 
ID is the first entitlement ID in a sequence of entitlement IDs including the entitlement ID 
associated with the given instance of service, and the difference in the sequence between the 
starting entitlement ID and the entitlement ID associated with the given instance of service is 
used to determine an element in the array having the entitlement value for the given instance 
of service. 

39. The method of claim 38, wherein the map is a bit map. 
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40. The method of claim 37, further including: 

receiving at least a second message that specifies a given entitlement agent; and 
allocating a portion of the memory to the given entitlement agent. 

41 . The method of claim 40, further comprising: 

receiving at least a third message having a starting entitlement ID and a map; 
storing the starting entitlement ID and the map of the at least third message in the 
portion of the memory allocated to the given entitlement agent. 

42. The method of claim 37, wherein the first message further includes a time indicator 
representing expiration date of the entitlements and the storing step further includes storing 
the expiration date; and wherein the determining step further includes: 

determining whether the entitlement value for the given instance of service has 
expired. 

43. The method of claim 37, further comprising the steps of: 
receiving a third message having a long-term key; 

processing in a secure element the long-term key to obtain a short-term key; and 
decrypting the given instance of service with the short-term key. 

44. The method of claim 38, further comprising the step of: 

authenticating the first message using information provided by an entitlement agent 
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45. The method of claim 44, wherein the step of authentication is performed by using 
RSA digital signatures. 
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